According to the Information Commissioner's Office (ICO), a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is really important that colleagues report any potential breach immediately to the Data Protection Officer.
Accidental or unlawful destruction
When we collect and process personal data, we need to provide the people we collect it from (the data subjects) with a range of information, including how long we will keep it for. We are required to ensure that the personal data is securely stored for that period of time and no longer. But this can sometimes go wrong:
- A student registers for a car parking permit for the year; their name, address and car registration number are added to the Car Parking Permit Register. Three months later, they find a ticket on their car and complain to the University. On investigation, their entry in the register was inadvertently deleted during an audit. This would constitute a personal data breach as we have accidentally destroyed their personal data.
- A member of staff raises a Subject Access Request (SAR) asking for any personal data held by their previous manager. The Data Protection Officer speaks to the manager and requests the relevant material, but the manager, knowing there are some less than professional messages saved on their laptop, deletes them permanently before any searches can be made. This is an example of unlawful destruction: altering or destroying personal data to prevent its disclosure in response to a SAR is a criminal offence under section 173 of the Data Protection Act 2018.
Loss
Similar to accidental or unlawful destruction, there may be times when we collect personal data and due to logistical and/or administrative issues we lose track of where it is held. For example:
- On Friday a researcher collected paper surveys containing personal data and left them unmarked on a lab shelf to digitise on Monday. During a weekend lab move the unlabelled box was placed in long term storage and on Monday the researcher could not locate it; the movers confirmed it was stored without labels so its exact location is unknown. Until the box is recovered this is a personal data breach, since the data is uncontrolled and data subject rights cannot be exercised.
Alteration
The principles of data protection legislation require all personal data processing to be accurate and appropriately secure, so any changes in personal data that compromise these principles would constitute a personal data breach. For example:
- While tutoring a small group a professor left their laptop unlocked to take a phone call. Students altered grades (their own and others’) and when the professor returned, they didn’t notice, and confirmed the changes. As personal data was deliberately altered and security was inadequate, this is a personal data breach affecting all students involved, including those who changed their own grades.
Unauthorised Disclosure and/or Access
When personal data is collected, there is an expectation that it will only be used by the collector and their partners, and this is reflected in the principles of data protection legislation. Data should only be shared internally with relevant teams and where it is shared externally, it is done so with appropriate partners. The example above in Alteration also demonstrates unauthorised access to personal data. For example:
- A parent of a current student contacts the University asking for their child's grades, as they want to better understand how to help them. Because the parent seems to be acting in their child's best interests, the colleague sends the student's transcripts and notes to the parent without consulting the student. Despite the benevolent intent and the family relationship, this is a personal data breach: it is an unauthorised disclosure of personal data to a third party.
So what should I do?
If you encounter, or suspect, a personal data breach then you should immediately inform dataprotection@bath.ac.uk. The Data Protection Officer will assess the breach and decide whether it needs to be reported. Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, it must be reported to the Information Commissioner's Office within 72 hours of the University becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. The 72-hour clock starts when the breach is first detected, not when it is escalated, which is why prompt internal reporting matters.